Bugzilla – Bug 863087
VUL-0: python-gnupg: several security fixes to prevent shell code injection
Last modified: 2017-05-26 19:13:18 UTC
Version 0.3.6 of python-gnupg includes several security fixes. 3 CVEs were assigned to these problems. From the CHANGE LOG: "Note also that this release includes security improvements, so all users are encouraged to upgrade."

CVE-2013-7323: Unrestricted use of unquoted strings in a shell, within version 0.3.4
CVE-2014-1927: Erroneous assumptions about the usability of " characters within version 0.3.5, leading to attacks such as $( command substitution within a "-quoted string
CVE-2014-1928: Erroneous insertion of a \ character within version 0.3.5, leading to attacks involving command lists (such as lists separated by a ; character)

This problem needs to be addressed in openSUSE:12.3 and openSUSE:13.1.

References:
http://seclists.org/oss-sec/2014/q1/243
https://code.google.com/p/python-gnupg/
https://code.google.com/p/python-gnupg/issues/detail?id=98#c4
https://bugzilla.redhat.com/show_bug.cgi?id=1061599
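The three CVEs above are all variants of one mistake: building a shell command line from caller-supplied strings. The following is an added illustration written for this bug entry, not code from python-gnupg or the reporter; the function names and the sample filename are constructed. It shows why hand-rolled "..." quoting leaves $, backtick, \ and " active, what shlex.quote does instead, and that passing an argv list with shell=False makes the same input inert.

```python
import shlex
import subprocess
import sys

# Characters a POSIX shell still interprets inside a double-quoted string.
# Wrapping input in "..." (the approach CVE-2014-1927/1928 describe) leaves these live.
ACTIVE_IN_DOUBLE_QUOTES = {"$", "`", "\\", '"'}


def naive_double_quote(value: str) -> str:
    """Hand-rolled "..." quoting, shown only to illustrate what it fails to neutralise."""
    return '"' + value + '"'


def unescaped_metachars(quoted: str) -> set:
    """Return the shell metacharacters that remain active inside a "..."-quoted word."""
    inner = quoted[1:-1]
    return {c for c in inner if c in ACTIVE_IN_DOUBLE_QUOTES}


def safe_shell_word(value: str) -> str:
    """If a shell command line is truly unavoidable, use shlex.quote: it single-quotes,
    and nothing is expanded inside single quotes (embedded ' is handled too)."""
    return shlex.quote(value)


def run_without_shell(argv: list) -> str:
    """Preferred fix: an argv list with shell=False, so no shell ever parses the input."""
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout


def argv_roundtrip(arg: str) -> str:
    """Launch a child (this interpreter) without a shell and return the argument exactly
    as the child received it, demonstrating that $(...) and ; are not interpreted."""
    return run_without_shell(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", arg]
    )


if __name__ == "__main__":
    hostile = "notes $(date).txt; echo injected"  # constructed sample input
    print(naive_double_quote(hostile), unescaped_metachars(naive_double_quote(hostile)))
    print(safe_shell_word(hostile))
    print(argv_roundtrip(hostile))
```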
bugbot adjusting priority
I'm not sure why this bug is assigned to maintenance@opensuse.org. Alexandre, if you have a fix, please open a maintenance request with your fixed package. (Keep in mind to add the bug IDs, CVE IDs and added/changed patches to your changelog entry.) Thanks! Reassigned to Alexandre.
openSUSE 13.1, 13.2 and Factory still need this fixed
Factory/Tumbleweed has 0.3.8, so fixed. Couldn't find a reference in the packages for 13.1, 13.2 to this CVE or bug, so it seems not to be fixed yet.
13.1 and 13.2 are EOL. Leap 42.2 is at 0.3.7. Closing.